Summary
- Unicore actively manipulates the DIPS journal file — an unusual behavior not seen in most cheat loaders, indicating deliberate anti-forensic intent toward diagnostic logs.
- C2 resolves to an OVH VPS hostname (vps-b7a11d64.vps.ovh.net) — DNS cache entries for this hostname are the primary network indicator.
- The string Unicore is present in FiveM_GTAProcess.exe memory during an active session, confirming active injection into the game process.
- Windows Event Log entries and Journal Trace artifacts persist after the session until explicitly cleared.
Overview
Unicore is a commercially distributed FiveM cheat loader. Its primary executable is build.exe, weighing approximately 18.2 MB. The loader communicates with a C2 hosted on an OVH VPS at vps-b7a11d64.vps.ovh.net rather than using a branded domain. This is a deliberate infrastructure choice that avoids registering a recognisable domain name, making domain-based blocklists less effective.
Unicore is notable for actively manipulating the DIPS (Diagnostic Information and Problem Solving) journal file — an anti-forensic behavior not commonly observed in other FiveM cheat loaders. Despite this, it leaves several artifacts that are straightforward to locate during a screenshare, including the cheat name itself as a string in the FiveM game process memory.
Sample metadata (IOC)
The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.
Name build.exe Size 19,094,628 bytes (18.2 MB) SHA-256 abc43e9dd40572b1bf1164fb9007bce0c47b5364eaa900fd3cb129e5bad178cb SHA-1 10670d690076971e39bf393a184486477ce5d95e MD5 0855c5f455e5204cd018bc93abc77a11 First seen 2024-11-07 13:29:48 UTC (DPS timestamp) PcaSVC 0x227e000 C2 vps-b7a11d64.vps.ovh.net (OVH VPS) → Observed in: DNS cache FiveM "Unicore" string present in FiveM_GTAProcess.exe LSASS No C2 strings observed
The DPS timestamp of 2024-11-07 13:29:48 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.
Behavioral indicators
1. DIPS journal file manipulation
Unicore actively manipulates the DIPS (Diagnostic Information and Problem Solving) journal file. This is an unusual behavior not seen in most cheat loaders. When investigating, check the DIPS journal for signs of tampering or unexpected entries. The Journal Trace will show this manipulation as file write events against the DIPS journal path.
2. OVH VPS C2
Unicore's C2 resolves to an OVH VPS hostname (vps-b7a11d64.vps.ovh.net) rather than a branded domain. DNS cache entries for this hostname are the primary network-layer indicator. A resolved entry for this specific hostname in ipconfig /displaydns output is not attributable to any legitimate software and confirms Unicore C2 contact.
3. “Unicore” string in FiveM process
The cheat name itself appears as a string in the FiveM game process memory, likely from an in-game overlay or menu label. A memory string scan for Unicore in the FiveM_GTAProcess.exe working set confirms active injection into the game. No equivalent string has been observed in lsass.exe for this cheat.
4. Windows Event Viewer entries
Unicore's activity generates Windows Event Log entries. Check Event Viewer for relevant error or application events timestamped around the suspected usage period. These entries persist until the event log is explicitly cleared.
Memory artifacts
The two primary in-memory indicators for Unicore are the DNS cache entry for the OVH VPS hostname and the Unicore string in the FiveM game process.
DNS cache — OVH VPS hostname
The DNS resolver cache will contain an entry for vps-b7a11d64.vps.ovh.net after any session where Unicore made a C2 connection. Running ipconfig /displaydns or inspecting the cache through System Informer will show this entry for the duration of the DNS TTL.
FiveM process — “Unicore” string
A memory string scan of FiveM_GTAProcess.exe for the string Unicore returns a positive hit when the cheat is actively injected. This is the clearest live-session indicator and distinguishes Unicore from other loaders that do not embed their product name in the game process memory.
Screenshare check guide
Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active sessions. Steps 3–7 cover machines where the user has attempted cleanup.
FiveM memory string scan for “Unicore”
- If FiveM is currently running, open System Informer and locate FiveM_GTAProcess.exe.
- Perform a memory string scan and search for Unicore. A hit confirms active injection — this string is not present in a clean FiveM installation.
DNS cache for OVH hostname
- Run ipconfig /displaydns in Command Prompt or use System Informer's DNS section.
- Search the output for vps-b7a11d64.vps.ovh.net. This hostname is not associated with any legitimate FiveM or Windows component. A cache hit confirms a C2 connection was made during the current or a recent session.
DIPS journal check
- Examine the DIPS journal for signs of tampering or unexpected modification timestamps. Unicore manipulates this file, so evidence of recent writes to the DIPS journal outside a normal diagnostic context is an indicator.
Event Viewer check
- Open Windows Event Viewer and check the Application and System logs for entries timestamped around the suspected usage period.
- Look for error or warning events that correspond to the time FiveM was active. Unicore activity generates Event Log entries that persist until the log is manually cleared.
DPS / PcaSVC timestamp
- Use a DFIR tool to inspect the PcaSVC and DPS log entries for build.exe.
- The DPS timestamp of 2024-11-07 13:29:48 and PcaSVC token 0x227e000 correspond to the known build. Any build.exe PcaSVC entry with an unusual path warrants investigation.
Journal Trace
- Run a Journal Trace on the system drive (Drive C:) and filter for entries related to Unicore's activity period.
- Look for DIPS journal write events and any other file system activity from build.exe or associated processes.
Prefetch
- Navigate to C:\Windows\Prefetch and look for a file matching BUILD.EXE-*.pf.
- Confirm that the path recorded inside the Prefetch file corresponds to a user-writable or suspicious location rather than a legitimate build toolchain installation.
Detection summary
Artifact Survives cleanup? Check location ──────────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log DIPS journal manipulation Yes DIPS journal check Prefetch (build.exe) Usually C:\Windows\Prefetch DNS cache (OVH VPS hostname) Session-length ipconfig /displaydns "Unicore" string in FiveM process Only while running Memory string scan Windows Event Log entries Yes (until cleared) Event Viewer Journal Trace entries Yes Drive C: journal trace
The most immediately actionable indicators are the “Unicore” string in FiveM_GTAProcess.exe memory during an active session, and the DPS/PcaSVC timestamp for build.exe after the fact. The Windows Event Log entries and DIPS journal manipulation provide additional corroborating evidence that does not require memory access. The OVH VPS DNS entry is useful for session-length confirmation but will not survive a DNS cache flush.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.